My experiences as an IT professional - Anything that I write here is my personal opinion and should not be officially associated with any other entity


Sunday, March 13, 2011

It seems that organizations are increasingly relying on Network Intrusion Detection Systems (NIDS) to monitor the security of their networks. While NIDS can certainly give IT staff insight into what is going on with their network, these systems have several drawbacks that keep them from being the be-all and end-all of network security.

The biggest problem is that NIDS can't detect attacks within encrypted traffic. If an organization is tasked with protecting web-based services that require HTTPS (SSL) connections, any attacks carried out over those connections (cross-site scripting, injection attacks (SQL or URL), or others) will not be noticed by the NIDS, because the sensor only ever sees ciphertext. This means that many attacks will fly under the radar of organizations that don't employ other methods of security monitoring alongside their NIDS.

Another issue with NIDS is that they are notoriously noisy. Since they typically need to monitor all network traffic and report on any anomalies found within those packets, many ordinary behaviors will be flagged as possibly suspicious. This eats up precious manpower, as analysts must routinely determine which reported items are noise and which are truly suspicious.

Which brings us to tuning the NIDS. This can be a tricky task. You cannot simply disregard all traffic from trusted servers, because an insider (or a very crafty hacker) could compromise a trusted system and use it to perform attacks, and again you would be none the wiser. However, without proper tuning the high number of false positives will make it extremely difficult to tell when real attacks have happened.

So what's the point of all this? Intrusion Detection Systems can play an important role in helping an organization monitor network traffic for suspicious activity; however, they should be part of an overall layered defense strategy and should not be relied on too heavily to provide insight into malicious attack attempts.

I recommend that NIDS be accompanied by systems that can monitor encrypted web traffic (web server log monitoring), as well as systems that monitor the configuration of all servers in a datacenter to ensure that they don't drift out of compliance with the organization's configuration standards and security hardening best practices.
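As an added illustration of the two points above (web server logs see the request after TLS has been stripped, and trusted sources should be tagged rather than exempted), here is a small log-monitoring script. It is example code written for this page, not the author's own tool; the log lines are constructed in Apache combined format and the two signature regexes are illustrative, not a complete ruleset.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [13/Mar/2011:10:00:01 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [13/Mar/2011:10:00:02 -0500] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 90 "-" "Mozilla/5.0"
192.168.1.20 - - [13/Mar/2011:10:00:03 -0500] "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "curl/7.21"
10.0.0.9 - - [13/Mar/2011:10:00:04 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Illustrative signatures, applied after URL decoding so encoding alone does not hide them.
RULES = {
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
    "sqli": re.compile(r"'\s*(or|and)\s*'?\w|union\s+select", re.I),
}

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(path):
    """Return the names of all rules matched by the URL-decoded request path."""
    decoded = unquote(path)
    return [name for name, rx in RULES.items() if rx.search(decoded)]

def scan_log(text, trusted_nets=()):
    """Flag suspicious requests. Trusted networks are only tagged, never skipped,
    because a trusted host may itself have been compromised."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # unparseable line: skip rather than crash the scan
        rules = classify(rec["path"])
        if rules:
            src = ipaddress.ip_address(rec["ip"])
            rec["rules"] = rules
            rec["trusted"] = any(src in n for n in nets)
            findings.append(rec)
    return findings
```

Run against the sample, the script flags the XSS probe from 10.0.0.7 and the SQL injection probe from 192.168.1.20, marking the latter as coming from a trusted network so an analyst can weigh it rather than have it silently dropped.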